Posted to issues@struts.apache.org by "Kevin Decker (JIRA)" <ji...@apache.org> on 2008/08/22 21:59:24 UTC

[jira] Created: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

2.0.11.1 Websphere Workaround Incorrect
---------------------------------------

                 Key: WW-2782
                 URL: https://issues.apache.org/struts/browse/WW-2782
             Project: Struts 2
          Issue Type: Bug
          Components: Documentation
    Affects Versions: 2.0.11.2
            Reporter: Kevin Decker


All of the documentation that I could find regarding resolutions for the S2-003 security bulletin effectively involves one of two paths if WebSphere support is required. Both of these workarounds failed within my testing environment.

1) Use annotations for validation.
I was not able to make this work. It seemed as though WebSphere would fail any time there was a validation interceptor on the stack. I was also unable to get a root cause stack frame due to my unfamiliarity with the WebSphere architecture and the root cause being masked by the FileNotFoundException filter issue. Punted on this solution due to time constraints.

2) Use excludeParams to filter out possibly malicious parameter names.
It appears that the regex given for this filter is incorrect.

Given filter: <param name="excludeParams">.*[[^\\p{Graph}][\\\\#:=]].*</param>

When this was applied to the params interceptor, the config parser converted this into the java string defined by the following:
".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*"

Breaking the \p{Graph} class, causing this expression to match just about anything that has characters outside of this set [Graphp{}\] (unescaped string).

This XML fragment appears to resolve the issue:
 <param name="excludeParams">.*[[^\p{Graph}][\\#:=]].*</param>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
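As an added example (not part of the issue report or the Struts project), the Java program below compiles both forms of the excludeParams pattern with java.util.regex and runs them over a few constructed parameter names, so the effect of the doubled backslashes described above can be seen directly. The class name, method name and sample names are assumptions made for the illustration.

```java
import java.util.regex.Pattern;

// Added example: contrasts the excludeParams regex as the config parser
// received it from the documented XML (backslashes doubled) with the
// regex the documentation intended.
public class ExcludeParamsCheck {

    // Java literal for the regex the docs' XML value produced:
    //   .*[[^\\p{Graph}][\\\\#:=]].*
    // Inside a character class "\\" is a literal backslash, so the first
    // class becomes "anything except \ p { G r a h }" rather than
    // "anything that is not a graphical character".
    static final String DOC_REGEX = ".*[[^\\\\p{Graph}][\\\\\\\\#:=]].*";

    // Java literal for the regex the corrected XML value produces:
    //   .*[[^\p{Graph}][\\#:=]].*
    // i.e. any non-graphical character, or one of \ # : =
    // Note: Java's \p{Graph} is US-ASCII only unless the pattern is
    // compiled with Pattern.UNICODE_CHARACTER_CLASS.
    static final String FIXED_REGEX = ".*[[^\\p{Graph}][\\\\#:=]].*";

    // The params interceptor drops a parameter when its name matches an
    // excludeParams pattern; this mirrors that yes/no decision.
    static boolean excluded(Pattern exclude, String paramName) {
        return exclude.matcher(paramName).matches();
    }

    public static void main(String[] args) {
        Pattern docs  = Pattern.compile(DOC_REGEX);
        Pattern fixed = Pattern.compile(FIXED_REGEX);

        // Constructed sample parameter names (not taken from the report).
        String[] names = {
            "firstName",          // ordinary property: must be accepted
            "user.address.city",  // nested property:   must be accepted
            "#session.user",      // OGNL context ref:  should be excluded
            "a=b",                // assignment:        should be excluded
            "x:y",                // should be excluded
            "back\\slash",        // backslash:         should be excluded
            "has space",          // non-graph char:    should be excluded
        };

        System.out.printf("%-20s %-8s %-8s%n", "param", "docs", "fixed");
        for (String n : names) {
            System.out.printf("%-20s %-8s %-8s%n",
                    n, excluded(docs, n), excluded(fixed, n));
        }
    }
}
```

Compile and run it with `javac ExcludeParamsCheck.java && java ExcludeParamsCheck`. The docs-form pattern reports every sample name as excluded, including the two ordinary property names, because almost any letter falls outside the eight literal characters left in its first class; the corrected pattern excludes only the names that contain whitespace, a backslash, or one of `#`, `:`, `=`. The ASCII-only scope of `\p{Graph}` is worth keeping in mind: a property name containing a non-ASCII letter is treated as non-graphical and excluded unless the pattern is compiled with `Pattern.UNICODE_CHARACTER_CLASS`.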


[jira] Commented: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

Posted by "James Holmes (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45206#action_45206 ] 

James Holmes commented on WW-2782:
----------------------------------

Is this even an issue now that Struts 2.0.14 has been released? Have you tried using the latest 2.0.14 release?



[jira] Commented: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

Posted by "Kevin Decker (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45232#action_45232 ] 

Kevin Decker commented on WW-2782:
----------------------------------

We intend to upgrade to the latest version of struts in the near future. Our QA department isn't scheduled to examine the branch that the struts upgrade will be going into for quite some time so I will try to test this myself and update the bug with the results.



[jira] Resolved: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

Posted by "James Holmes (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Holmes resolved WW-2782.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.0.14

Great, thanks for following up.

Closing this as fixed per the original reporter.



[jira] Commented: (WW-2782) 2.0.11.1 Websphere Workaround Incorrect

Posted by "Kevin Decker (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/struts/browse/WW-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=45239#action_45239 ] 

Kevin Decker commented on WW-2782:
----------------------------------

Updated to 2.0.14, removed the excludeParams param and did a quick test within our app. Everything seems fine. I don't believe this bug is still an issue since the docs in question were for a short term work around that a fix has been released for.
